Privacy & Data Security 2019: Building A Written Information Security Plan

Transcription

PRIVACY & DATA SECURITY 2019: BUILDING A WRITTEN INFORMATION SECURITY PLAN
Karin McGinnis and Todd Taylor, Moore & Van Allen, PLLC
Mike Holland and Jefferson Pike, Fortalice Solutions
February 21, 2019

Why a WISP?
- A WISP can help reduce security incidents.
- Some laws require a security plan.
- A WISP can help show compliance with other laws.
- A WISP (if implemented) can help defend against claims (e.g., negligence).
- A WISP is useful in obtaining cyber insurance.
- A WISP provides a framework for testing your company’s information security.

Fines under the GDPR – CNPD/Portugal
- Barreiro-Montijo Hospital Center allowed others access to patient files that should have been reserved to physicians; it maintained 985 active physician accounts although only 285 doctors were active.
- CNPD found the hospital lacked the technical and organizational measures necessary to ensure the security of personal data (e.g., it lacked adequate internal rules for account creation and for granting different levels of access to clinical information).
- Violation of GDPR Article 5(1)(f).
- €400,000 fine imposed.

Laws Requiring WISP or Data Security Procedures

State Data Security Laws
Currently, at least 22 states have some form of general data security requirement, including:
- Delaware
- Florida
- […]s
- Minnesota*
- Nebraska
- Nevada
- New Mexico
- Oregon
- Rhode Island
- Texas
- Utah
- Vermont*

Special State Legislation
SC Insurance Data Security Act (S.C. Code §§ 38-99-10 to 38-99-100)
Requires persons subject to licensing pursuant to S.C. insurance laws to develop, implement and maintain a comprehensive written information security program containing administrative, technical and physical safeguards to protect NPI and the insurer’s information system.

Ohio: WISP as Defense to Tort Claims
A. Affirmative defense under ORC §§ 1354.01-1354.05 to tort actions alleging failure to implement reasonable information security controls if the covered entity creates, maintains, and complies with a risk-based written cybersecurity program containing administrative, technical, and physical safeguards for protection of PI (and restricted information, if applicable), and the program reasonably conforms to an industry-recognized framework.
B. The program must be designed to:
- protect the security and confidentiality of the information;
- protect against any anticipated threats or hazards to the security or integrity of the information; and
- protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

ORC: Reasonable Industry Standards
A. Frameworks/Standards:
- NIST Framework for Improving Critical Infrastructure Cybersecurity;
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53a;
- FedRAMP Security Assessment Framework;
- CIS Critical Security Controls for Effective Cyber Defense;
- ISO 27000 Standards.
When a final revision to a framework is published, a covered entity whose cybersecurity program reasonably conforms to that framework must reasonably conform to the revised framework not later than one year after the publication date stated in the revision.
B. If already regulated by federal or state law (GLBA, HIPAA, HITECH or FISMA), compliance with any cybersecurity requirements of that program suffices.
C. Compliance with BOTH the current version of PCI-DSS and the standards in A.

State Data Security Laws
- Most states simply require that the entity implement and maintain reasonable security practices appropriate to the nature of the information to protect it from unauthorized access, destruction, use, modification or disclosure.
- AL, CT, MA, NV, OR and VT have more robust requirements.
- AR, CA, CO, IL, MD, NE, NV, NM and RI require the entity to impose obligations on vendors/service providers.
- CT, MA and VT require a WISP.

Alabama
Reasonable security measures: security measures practicable to implement and maintain, including consideration of all of the following:
- Designation of an employee to coordinate security measures to protect against a breach;
- Identification of internal and external risks of a breach;
- Adoption of appropriate information safeguards to address identified risks of a breach, and assessment of the effectiveness of such safeguards;
- Retention of service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information;
- Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information;
- Keeping management of the covered entity appropriately informed of the overall status of its security measures.
Ala. Code 8-38-3 (Section 3). Secure disposal of personally identifiable information (Section 10).

Massachusetts Standards for the Protection of Personal Information (201 CMR §§ 17.01 & 17.03)
- Imposes detailed obligations on a person or entity that owns or licenses personal information (paper or electronic) of Massachusetts residents to develop, implement, and maintain a comprehensive written information security program.
- These are minimum standards.

Massachusetts Standards for the Protection of Personal Information (201 CMR § 17.03(1))
Must contain administrative, technical, and physical safeguards that are appropriate to:
- the size, scope, and type of business;
- the amount of resources available;
- the amount of stored data; and
- the need for security and confidentiality of both consumer and employee information.

Massachusetts Standards for the Protection of Personal Information (201 CMR § 17.03(2))
Every information security program shall include:
- Responsible persons
- Vendor oversight
- Risk assessment
- Restrictions on physical access
- Employee/employer training
- Monitoring of the program
- Discipline
- Audits
- Limits on access by terminated employees
- Security incident documentation

Massachusetts – New
- Massachusetts data breach statute amendment effective April 11, 2019.
- Requires data breach notice (to consumers and regulators) stating whether the company has a WISP.
- Means regulators will know if the company is not complying with the WISP requirement under state law, and the company will face fines/penalties.

Lawyers
NC State Bar 2011 FEO 7: States that a lawyer has affirmative duties
- to educate himself regularly as to the security risks of online banking;
- to actively maintain end-user security at the law firm through safety practices such as strong password policies and procedures, the use of encryption and security software, and the hiring of an information technology consultant to advise the lawyer or firm employees; and
- to insure that all staff members who assist with the management of the trust account receive training on and abide by the security measures adopted by the firm.

EU General Data Protection Regulation
Article 32 of the GDPR requires the following:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Account shall be taken in particular of the risks that are presented by processing which could lead to physical, material or non-material damage.”

GDPR, Art. 32
Measures to ensure an appropriate level of security include:
- Encryption: the pseudonymisation and encryption of personal data;
- Systems: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restoration: the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Auditing: a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
(GDPR, Art. 32(1)(a))
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may demonstrate compliance. (GDPR, Art. 32(3))

Gramm-Leach-Bliley Act (15 USC § 6801)
- Requires financial institutions to implement safeguards to protect consumer information.
- Individual regulators have imposed detailed regulations and guidance regarding information security program requirements (e.g., Interagency Guidelines Establishing Information Security Standards).
- Reasonable technical, physical and administrative protections include:
  - Responsible Person: designation of one or more employees to coordinate the program;
  - Risk Assessment: conducting risk assessments;
  - Safeguards: implementation of safeguards to address risks identified in risk assessments;
  - Vendors: oversight of service providers; and
  - Auditing: evaluation and revision of the program in light of material changes to the financial institution’s business.

NY Dept of Financial Services (NY DFS) Cybersecurity Regulations (23 NYCRR Part 500)
- Effective March 1, 2017.
- Applicable to entities that are subject to licensing by NY DFS.
- Covered entities are required to maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the company’s information system.
- Requires procedures and policies to protect information systems and nonpublic information on the systems.

NY DFS Cybersecurity Regulations (23 NYCRR Part 500)
Components:
- Risk assessment
- Incident response
- Info security
- Network and systems security
- Data governance/classification
- Access controls/ID management
- Continuity/disaster recovery
- Systems/network monitoring
- Physical security
- Vendor management
- Data disposal

PCI-DSS
- Requirements imposed by major card brands with regard to protection of cardholder data.
- Applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.

Other Federal Laws for Reference
- HIPAA Security Rule – Requires covered entities to maintain appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- Federal Trade Commission Act, Section 5(n) – Defines an unfair act or practice as an: “act or practice [that] causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
  - The FTC has brought claims under the unfairness prong of Section 5(a) based on failure to have adequate data security measures, though many of these cases ended in settlement (e.g., U.S. v. ChoicePoint, Civ. Action No. 1:06-CV-0198 (N.D. Ga. 2006)).
  - A security program is often part of consent decrees/settlements with the FTC (e.g., Uber).
- FTC Start with Security: A Guide for Business – Offers ten lessons learned from its data security enforcement actions, with practical guidance on how to reduce risks for all businesses.

DRAFTING A WISP

Process – Risk Assessment
- Types of information held, applicable laws and potential vulnerabilities.
- Valuable to have a certified third-party entity perform it.
- Consider industry data (e.g., Advisen) showing the more highly targeted industries (healthcare, finance and insurance) because of the value of their data.
- What higher-risk practices does the business engage in? E.g., if frequent wire transfers, consider BECs (business email compromise)/wire fraud.

Example: BECs and Ransomware
- BECs are happening regularly in the Carolinas.
- Fortalice has worked cases with MVA Law – BEC and cyber fraud.
- Companies need a cybersecurity process to follow.
- Awareness of phishing, proper cyber tools and a foundational cybersecurity program are critical.
- Ransomware is also happening here – just ask the IT team at Mecklenburg County.
- Practice a digital disaster before one occurs, not as it happens.
- Take steps to prevent: increase password protections, change open remote ports from the default port, multifactor authentication.
- Then audit and monitor for compliance.

What Should a WISP Look Like?
- Can be an all-in-one plan or a general plan with references to various policies.
- A general plan with separate policies is easier to administer and update.
- Mark Confidential & Proprietary.

Components of a WISP
- Purpose
- Scope
- Definitions
  - Personal Information
  - Sensitive Information
- Identify Qualified Responsible Person
- Provisions for Risk Assessment
- Outline Info Sec Policies
  - Access controls
  - Password policies
  - Security patches
  - Network segmentation
  - Multi-factor authentication
  - Encryption
  - Firewalls
  - Log maintenance
  - Backups/disaster recovery

Components of a WISP (cont.)
- Safeguards
  - Administrative (policies)
  - Technical (e.g., anti-virus software, encryption)
  - Physical (secure premises, clean desk rules, locks)
- Vendor/third-party service provider management (contracts, requirements)
- Incident Response Plan
- Training
- Data disposal
- Audit/review of plan and policies
- Monitoring
- Enforcement (discipline if violation)
- Effective date of plan and updates

Ancillary Policies
- Data Incident Response Plan
- Technology/Internet/Computer Use Policies
- Record Retention/Disposal Policies
- Vendor Management Policies
- Security Awareness Training Policies
- Password Policies
- Facility Access Policies

Jefferson Pike, Fortalice Solutions, LLC
Director, Cyber Risk & Compliance at Fortalice Solutions, LLC
Jefferson Pike is a forerunner in the field of cyber risk analysis and management. A veteran of the U.S. Navy, he has twenty years of professional experience leading risk management teams, assessing the information security posture of organizations and their vendors, and developing business performance standards, policies and procedures.
Throughout Jefferson’s career, he has held multiple leadership positions, including IT Senior Lead Auditor for Wells Fargo, Manager of IT Risk Management for Spectrum, Cybersecurity Risk Analyst, NOC Manager for BellSouth Telecommunications, and Enlisted Surface Warfare Specialist in the U.S. Navy.

Jefferson Pike, Fortalice Solutions, LLC
In his role as Director of Cyber Risk and Compliance for Fortalice Solutions, Jefferson leads the Commercial Risk Team, and applies his skill set and knowledge to delivering solutions and services to clients. His Fortalice duties include performing cyber risk assessments to determine the security posture of organizations; assisting clients’ technical and non-technical staff in implementing or optimizing new cybersecurity capabilities such as vulnerability management, incident response, and governance programs or initiatives; developing custom risk frameworks, policies and procedures; performing cost/benefit analysis and providing clear recommendations based on the specific client environment; and leading a team of junior analysts in the completion and delivery of client solutions.
Jefferson earned his Bachelor of Science degree in Management from Montreat College, and graduated from the University of Maryland University College with his Master of Science in Cybersecurity, as well as an MBA.

Mike Holland, Fortalice Solutions, LLC
Executive Vice President of Client Relations
Mike Holland is a strategic business development executive with an earned record of professional success in international business development, clientele management, and employee training and education. As Executive Vice President of Client Relations for Fortalice Solutions, Holland is responsible for all private sector client partnerships. He ensures client satisfaction for all cyber-related work, and serves as liaison between the technical team and client business risk owners, including boards and C-suite executives.

Mike Holland, Fortalice Solutions, LLC
An ambitious and savvy entrepreneur, Holland founded the Blue Line Group, a company which specializes in business development and sales consulting. At Blue Line, he served as president and assembled an impressive clientele which included a European software company, an energy conservation firm, and an Asian original design manufacturer.
Holland has driven multiple sales channels to exceed quota, led supply chain teams, and taken ownership of vendor relationships, showing himself to be a vastly capable and versatile leader. His incredible work ethic caught the attention of The Charlotte Business Journal and earned him the 40 Under 40 Award (2006), which recognizes top business leaders in the Charlotte area.

Mike Holland, Fortalice Solutions, LLC
Holland has served in the position of Vice President for multiple companies, including Ubee Airwalk (VP of Business Development for Europe and the Americas) and Mobinnova (VP of Business Development), where he oversaw the development of beneficial business relationships, engineered successful planning and execution of sales strategy to increase company growth, and provided leadership and direction. In his position as Area Vice President of Sales and Operations for AT&T Wireless, Holland owned P&L in excess of 275M and earned three Circle of Excellence Awards, a peer-to-peer award given to the top 2% of the company’s 35,000 employees.
Mike Holland is a graduate of Auburn University, where he earned his Master of Business Administration and Bachelor of Science in Finance. He also completed the Southwestern Bell Communications Leadership Development Program in 1992, and holds a certificate from the Center for Creative Leadership in “Developing the Strategic Leader”.

Attorney Contacts
Karin McGinnis
Todd Taylor
Member
704.331.1112
toddtaylor@mvalaw.com

Questions
